The security configuration for the Db2 Data Gate synchronization function fails

An error message indicates the failure of the security configuration for the synchronization function.

Symptoms

An error message similar to the following is displayed on the Cloud Pak for Data web interface:
Unable to configure security for synchronization. Unable to test connection.
Check your network connection, validate PKCS12 certificate.

Causes

During the configuration of a data source, Db2 Data Gate tests the connection to Db2 for z/OS®, to the web user interface service, and to the Db2 Data Gate server service on Cloud Pak for Data. The connection test can be broken up into the following steps:

  1. The web user interface service on Cloud Pak for Data connects to Db2 for z/OS by a Java Database Connectivity (JDBC) SSL connection and calls a stored procedure.

  2. The Db2 for z/OS stored procedure connects to the Db2 Data Gate server service on Cloud Pak for Data through an encrypted connection. This is a two-step process:

    1. The stored procedure sends a request to the Stunnel service on Cloud Pak for Data.
    2. The Stunnel service routes the request to the Db2 Data Gate server service on Cloud Pak for Data.
  3. The Db2 Data Gate server service sends a response to the stored procedure.
  4. The stored procedure passes the response to the web user interface service on Cloud Pak for Data.

A failure in any of these steps leads to the failure of the entire connection test. There might be various reasons for this.

Diagnosing the problem

The most likely reasons are listed here. Check each one of them to see if it applies:

  • The inbound network connection to z/OS is not configured correctly. For example, the host name, the port, or the IP address of the Db2 Data Gate instance might be wrong. For more information about the configuration of inbound network connections, see Configuring inbound access to Db2 for z/OS for Db2 Data Gate.

    Also make sure that you run the command F PAGENT,REFRESH to let changes to the configuration of the policy agent take effect.

  • The outbound network connection from z/OS is not configured correctly. The PKCS12 certificate might be invalid, or the user might have insufficient privileges. For more information about the configuration of outbound network connections, see Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate
    The PKCS12 certificate is used by the Stunnel service on Cloud Pak for Data. Verify that the Stunnel service is working by running following command on the machine where Cloud Pak for Data is installed: 
    openssl s_client -connect <hostname>:<port> -msg
    where
    <hostname>
    Is the host name you specified during the creation (provisioning) of the Db2 Data Gate instance.
    <port>
    Is the port number you specified during the creation (provisioning) of the Db2 Data Gate instance.

    The expected output of this command is:

    TLS 1.2 Handshake [length 00c3], ClientHello
... ...
<<< TLS 1.2 Handshake [length 003d], ServerHello
... ...
<<< TLS 1.2 Handshake [length 0631], Certificate
... ...
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
... ...
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
... ...
TLS 1.2 Handshake [length 0046], ClientKeyExchange
... ...
TLS 1.2 ChangeCipherSpec [length 0001]
01
TLS 1.2 Handshake [length 0010], Finished
... ...
  • The route is not configured correctly. To check this:
    1. Log in to the infrastructure node of Cloud Pak for Data.
    2. List the existing routes by running the following command:
      oc get route
    3. Make sure there is only one record for a particular Db2 Data Gate instance. For example: 
      NAME HOST/PORT PATH SERVICES PORT TERMINATION 
dg1591202855434 dg.demo.os.ibm.com 
dg-1591202855434-data-gate-server-svc 11400 passthrough
    The NAME contains the ID (that is, 1591202855434 in the above example) of the Db2 Data Gate instance. This ID is also shown in the URL on the web user interface when you open the Db2 Data Gate instance, for example: 
    https://xxxxx/data-gate/#/details/1591202855434
  • The iptable firewall of Cloud Pak for Data is not configured correctly. If the port of the Db2 Data Gate instance is 443 (the default value), you need not redirect connections over this port.
    However, if the port of the Db2 Data Gate instance is not 443 (for example, the port might be 44443), check the iptable settings:
    1. Log in to the infrastructure node of Cloud Pak for Data.
    2. Display the settings of iptables by running the following command:
      iptables -t nat -L
    3. Make sure the port (for example 44443) is redirected to port 443. The expected output looks like this:
      Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:44443 redir ports 443
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
  • The setting for IP forwarding is incorrect. If the port of the Db2 Data Gate instance is 443 (the default value), you need not configure IP forwarding (net.ipv4.ip_forward)
    However, if the port of the Db2 Data Gate instance is not 443 (for example, the port might be 44443), check if net.ipv4.ip_forward is set to 1 in the /etc/sysctl.conf file. To this end, display the net.ipv4.ip_forward setting in sysctl.conf by running the following command:
    cat /etc/sysctl.conf | grep net.ipv4.ip_forward

    A value of 1 means that IP forwarding is enabled. A value of 0 means IP forwarding is disabled.

    Make sure that net.ipv4.ip_forward = 1 is set.

Resolving the problem

  • If the inbound network connection to z/OS is not configured correctly, correct the configuration by following the steps in Configuring inbound access to Db2 for z/OS for Db2 Data Gate.
  • If the outbound network connection from z/OS is not configured correctly, correct the configuration by following the steps in Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate.
  • If the route is not configured correctly, change the route setting for the Db2 Data Gate instance. The route is set during the creation of the instance (provisioning). So you need to delete the instance and provision a new one.
  • If the iptable firewall of the Cloud Pak for Data cluster is not configured correctly, run the following command: 
    iptables -t nat -A POSTROUTING -j MASQUERADE

    Note that you have to run this command only once for all Db2 Data Gate instances in a Cloud Pak for Data cluster.

    To change the port redirection, for example from port 44443 to port 443, run the following command:
    iptables -t nat -A PREROUTING -p tcp --dport 44443 -j REDIRECT --to-port 443
  • If port forwarding is disabled, run the following command to fix this:
    sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p